The discussion is a bit dated, docker now supports user namespaces such that apps can run as root inside a container, but are not root outside of the container.
I'm really confused why this creates an IPsec server AND an wireguard server, or do I read that wrong? Managing two server which basically do the same thing seems to double the attack surface without any gains. One selling point of wireguard is to be an easier but still as least as secure alternative to IPsec.
As long as you have a passphrase and don't actually circumvent it (by e.g. an agent) you basically already have 2FA (you need access to the key (on your laptop/pc) and you need access to the passphrase (in your head)). But physical 2FA (like smartphone based ones or smartcard based ones) are nice because you can remove them from your computer or destroy them. You can't "destroy" a passphrase, so passphrase and sshkey are not really "independent".
Are you disagreeing with the "secure alternative" or the "same outcome"? I thought the difference between ProxyJump and agent forwarding is the following:
Agent forwarding forwards the agent socket to the proxy server. Thus any ssh connection originating from the proxy server can reuse the agent, and with that has the same access to the agent as the originating host.
ProxyJump routes the ssh connection through the proxy host. The crypto takes place between originating host and target host, not between proxy host and target host. ssh connections originating from the proxy host can not access keys from the originating host.
But maybe my understanding of ProxyJump is incorrect?
Responsible disclosure is about not enabling third parties to leverage the disclosure to gain access. In this case the hacker did not disclose the security holes before they were closed for third parties (i.e. the hacker could only still access the hosts because he had access to the them in the past, new access was (hopefully) not possible anymore).
Which of course doesn't mean that the hacker should have just send an email to the matrix team.
fzf [0] has a history mode included and integrates nicely with fish. You just need to enable the fzf bindings [1], then CTRL-r will give you a (fzf) history searcher.